The precept behind BYOVD is easy sufficient: as soon as an attacker has gained admin privileges by an account takeover, they load a reputable, however previous and susceptible vendor driver, inside which lies an exploitable vulnerability. This extends the facility of admin management to kernel degree, permitting them to focus on the EDR drivers in a direct approach.
EDR instruments’ vulnerability to a more moderen technology of evasion methods has been recognized for a while; a 2024 research by safety firm Trellix highlighted this weak point, and earlier this 12 months, one other safety vendor, Huntress, reported a current case during which BYOVD had been used to load and goal a susceptible previous driver to close down EDR defenses.
“The largest protection impediment is the truth that EDR killers depend on susceptible non-malicious drivers which might be usually nonetheless used legitimately,” famous Souček.
